Digitally signing your email with DKIM or DMARC

It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from CERVIS to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.

Digitally signing outbound email is REQUIRED if you use an external custom email domain (e.g. volunteer@myorg.org) for your CERVIS email.

CERVIS allows DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.

Updating your DNS records to use the CERVIS domain key

Before you can digitally sign your outbound email from CERVIS, you must update the Domain Name System (DNS) records of your domain so that the CERVIS domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the CERVIS domain. When an email service provider receives an email with your domain name, the provider looks up the CERVIS domain key to verify the signature of the email.

As an added security measure, CERVIS rotates its DKIM signing keys on a recurring basis. As long as you use the method described below to add domain keys to your DNS record, you won't have to make any changes when the keys are updated. The lookup will automatically locate the current CERVIS domain keys.

Note: Working with domain names can be confusing because it's something most of us rarely do. Consult your system administrator, if you have one, before proceeding.

The UI and terminology may vary depending on your registrar, but the concepts are the same.

To add the domain key to your DNS records

Log in to your domain registrar's control panel.

Use the login name and password that you created when you registered the domain name.

Look for the option to change DNS records.

The option might be called something like DNS Management, Name Server Management, or Advanced Settings.

Locate the CNAME records for your domain.

A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the CERVIS domain to use its domain key.

Look for an option to add a CNAME record.

Create a CNAME record with the following values:

In the Host Record field (or equivalent), enter:

cervis._domainkey.your_email_domain.com

where your_email_domain.com is the external email domain you use for your CERVIS email. Example: "myorg.org". The domain can have a different top-level domain, such as .net, .org, or .ca.

Example host record value:

cervis._domainkey.myorg.org

In the Alias To field (or equivalent), enter:

cervis._domainkey.cervistech.com.

Note: It takes time for changes to the DNS system to be implemented. Typically, it can take anywhere from a few hours to a day, depending on your Time To Live (TTL) settings in the registrar's control panel.
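
To confirm the record once the change has propagated, the following added example (not CERVIS's own tooling) looks up the CNAME with dig and classifies the answer, including the case where the trailing dot on the alias was left off. The function names and result labels are illustrative assumptions; only the host record and alias target come from the steps above.

```shell
#!/bin/sh
# Added example: check the DKIM CNAME described above. Function names are
# illustrative; only the record name and alias target come from the page.
CERVIS_TARGET="cervis._domainkey.cervistech.com"

# Lowercase a DNS name and drop the trailing root dot so comparisons are stable.
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Name of the host record for an email domain, e.g. myorg.org.
dkim_host() {
    printf 'cervis._domainkey.%s' "$(normalize_name "$1")"
}

# Classify the CNAME target returned for the host record.
#   $1 = email domain, $2 = answer from `dig +short CNAME` (may be empty)
classify_cname() {
    domain=$(normalize_name "$1")
    answer=$(normalize_name "$2")
    if [ -z "$answer" ]; then
        echo "missing"            # not created yet, or not propagated (TTL)
    elif [ "$answer" = "$CERVIS_TARGET" ]; then
        echo "ok"
    elif [ "$answer" = "$CERVIS_TARGET.$domain" ]; then
        echo "relative-target"    # trailing dot omitted; zone appended itself
    else
        echo "wrong-target"
    fi
}

# Live check: sh check_dkim.sh myorg.org   (requires dig and network access)
if [ -n "${1:-}" ]; then
    host=$(dkim_host "$1")
    answer=$(dig +short CNAME "$host" | head -n 1)
    result=$(classify_cname "$1" "$answer")
    echo "$host -> ${answer:-<no CNAME>} [$result]"
    if [ "$result" = "missing" ]; then
        # Some control panels append the domain to the host field themselves.
        doubled=$(dig +short CNAME "$host.$(normalize_name "$1")" | head -n 1)
        [ -n "$doubled" ] && echo "record found at $host.$1: enter the host without the domain"
    fi
    [ "$result" = "ok" ]
fi
```

A result of "missing" shortly after the change usually means the record has not propagated yet; re-run the check after the TTL has elapsed.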

Enabling digital signatures in CERVIS

Once the steps above have been completed, please contact CERVIS Customer Support to enable custom DKIM signing for your account.